Internet2

close
Use Internet2 SiteID

Already have an Internet2 SiteID?
Sign in here.

Internet2 SiteID

Your organization not listed? Create a local account to use Internet2 services.

Create SiteID

Blogs

September 2018: NET+ Duo Update

Sep 17, 2018, by Nick Lewis
Tags: Duo Security, Internet2 NET+

As a follow-on for the overall NET+ program updates, we want to provide an update on the  NET+ Duo program as there are a few key updates since the last update in April 2018

The big news for Duo is the announcement of Cisco’s intent to acquire Duo Security. We’ve discussed the announcement with Duo and Cisco. At this point, the acquisition hasn’t closed, so it’s business as usual until the acquisition closes. If the Cisco acquisitions of Cloudlock provides any insight into the acquisition of Duo and the NET+ agreement, we anticipate a long lead time for any potential changes. Most campus questions have been around potential price increases and feature/functionality, and we are engaging both Cisco and Duo to get more detailed answers.

The NET+ Duo program has continued the transition of the existing InCommon Duo campuses to the updated NET+ Duo agreement. The NET+ Duo program now has 154 campuses signed up as part of the program with 15 new campuses in 2018. This scale allows us to engage strategically at a community level with Duo and share best practices and efforts across our membership.

We did a blog post with the National Cybersecurity Alliance, Duo Security, and EDUCAUSE on multi-factor authentication (MFA) usage in higher education using the NET+ Duo program. One of the highlights from the blog is that MFA deployments now reach more than 1.2 million faculty and staff and almost 2 million students, based on IPEDS data from 2017.

We continue to closely work with Duo on signing up new campuses and transitioning campuses to the updated agreement. We have received some common feedback and questions from campuses around pricing and how state law-related changes are included in the program.

We are asking campuses to start their legal reviews, so they are ready to transition to the updated program on their renewal. Duo will reach out to a campus 3 months prior to their renewal to start working on the details. Please contact your Duo account manager or Internet2 if you do not already have a copy of the campus agreement, so you can start reviewing it now. 

On required state law in the program, we have discussed with Duo on how NET+ has worked with campuses on other NET+ agreements to help manage expectations on how requested state law modifications are incorporated in a campus’ agreement. For other NET+ programs, we ask campuses for citations to the state law requiring the modification for our legal teams to review. Duo has been working with campuses on their requests. 

Price protection is one of the key changes included in the NET+ Duo agreement, especially for a service in transition, that’s not in the InCommon Duo agreement. Campuses will transition from their existing InCommon Duo subscription pricing to the NET+ Duo agreement with no change in price as long as there is no change in their service or expansion. On pricing, the NET+ Duo customer agreement in section 10.1 says: 
 
“Any pricing increase will not exceed three percent (3%) per year, unless the pricing was designated in the applicable Order Form as promotional or one-time; provided, however, the Fees for each renewal Term shall also not exceed the list price as of the start date of such renewal Term.”

Another key contract change includes a new term introduced in the NET+ Duo campus agreement around student usage. In the InCommon Duo agreement, there was confusion around if campuses were responsible for potential student misuse of the Duo services. Campuses were concerned they had minimal control over students and in discussing this during service validation, we were able to agree that a campus would not be liable for students’ actions under this agreement provided that the campus:

  • has a campus-wide acceptable use policy that students are required to acknowledge and agree to;
  • notifies Duo if the campus becomes aware of any actual or potential violations;
  • provides reasonable assistance to investigate; and
  • would enforce their acceptable use policy, including up to terminating student access. 

Please see Section 3.4 of the NET+ Duo campus agreement for the details. 

There also have been questions about export control; the NET+ Duo service advisory board is still discussing this with Duo. More information on the NET+ Duo service advisory board can be found on the website. Many thanks to Jacob Farmer from IU for stepping up as the first chair of this group! 

On the NET+ Duo service advisory board, we have continued to work with Duo on oversight of the program and discussing issues brought up by the community. We worked with Duo in June 2018 when Duo made a change to their privacy policy around people under 16, and have discussed GDPR with them. After the privacy policy discussion, Duo updated their privacy policy to address campus concerns. We have discussed with them the outage on 8/20 and 8/29 and that Duo is to minimize the chance of it happening again. 

Thank you to members of the higher education community who have helped make this program such a success over the years. We will continue to engage with Duo and the service advisory board on ways to improve and further scale the program.

If you have any feedback on the program, feel free to reach out to me at nlewis@internet2.edu or the email the group